1. Introduction


The Controls Catalog maps requirements of the Transparency & Consent Framework Policies and the corresponding Technical 
Specifications to auditable elements that can help participants in assessing and reviewing the compliance of their TCF 
implementations. 


The Controls Catalog also includes the description of the applicable enforcement procedures in case of non-compliance with the TCF 
Policies or Technical Specifications under the TCF Compliance programmes. Please note that while the Controls Catalog describes 
the primary checks IAB Europe performs to verify compliance of TCF participants in the context of the TCF Compliance Programmes, 
IAB Europe will continue monitoring compliance with all TCF Policies and adopting enforcement measures where non-compliance is 
identified, in line with its prerogatives under the TCF Policies and Terms and Conditions. 


2. Enforcement procedures


The TCF Compliance Programmes set forth differentiated enforcement procedures according to the nature of the non-compliance 
with the TCF Policies or Technical Specifications. The Controls Catalog below indicates which procedure is applicable in the case of 
a particular breach. 


Procedure n°1: Tampering of TC Strings by CMPs & Vendors’ live installations

Where a live CMP or Vendor installation is found to be tampering with TC Strings, the following process applies:

- Participant receives a formal suspension notice via email;

- Immediate suspension from the GVL or CMP list for a minimum of 4 weeks and until the issue is resolved;

- Public notification of non-compliance to the TCF Community, including facts and reasoning;

- If this is the fourth time within a twelve month period that the participant has been found tampering with TC Strings, it will be
notified and permanently suspended from the GVL or CMP list.


Procedure n°2: Other material breach of the TCF Policies by CMPs & Vendors’ live installations 


Where a live CMP or Vendor installation is found in breach of the TCF Policies (except in cases of TC String tampering), the 
following process applies: 


- Participant receives a formal suspension warning via email; 

- CMPs are given 10 business days to remedy the issues, Vendors are given 20 business days to remedy the issues; 

- If, following the expiration of the delay, the issues have not been resolved, the participant will receive a suspension notice via 
email and will be suspended from the GVL or CMP list until the issues have been remedied; 

- If this is the fourth time within a twelve month period that the participant has been found in breach of the TCF Policies, it will 
be notified via email and suspended from the GVL or CMP list with immediate effect for a minimum of 2 weeks and until all 
issues are resolved. 


Procedure n°3: Vendors’ information required for inclusion in the GVL is incomplete or inaccurate 


Where a Vendor has provided inaccurate or incomplete information requested to register to the GVL, the following process 
applies: 


- Vendor receives a formal suspension warning via email; 

- Vendor is given 5 business days to remedy the issues; 

- If, following the expiration of the delay, the issues have not been resolved, the Vendor will receive a suspension notice via 
email and will be suspended from the GVL until the issues have been remedied; 

- If this is the fourth time within a twelve month period that the Vendor has been found in breach of the TCF Policies, it will be 
notified via email and suspended from the GVL with immediate effect for a minimum of 1 week and until all issues are 
resolved. 
3. CMP Checklist


Number 


Audited element 


Are consent signals in the TC 
String created after affirmative 
action by the user? 

For this check to pass, there must 
be either a) no TC String or b) all 
purpose and vendor consent signals 
must be set to 'no'.


If a 'Reject All' option is provided 
in the user interface, when the 
user clicks on it, are all consent 
signals for purposes and vendors 
set to 'off'? 

This check fails if there are any 
positive purpose or vendor consent 
signals after the user clicks 'Reject
All'.


TCF policies references 


Technical Checks 


Chapter II: Policies for CMPs; 5(3). 

A CMP must only generate a positive consent Signal on the 
basis of a clear affirmative action taken by a user that 
unambiguously signifies that user’s agreement on the basis of 
appropriate information in accordance with the law. 


Chapter II: Policies for CMPs; 5(3). 

A CMP must only generate a positive consent Signal on the 
basis of a clear affirmative action taken by a user that 
unambiguously signifies that user’s agreement on the basis of 
appropriate information in accordance with the law. 


Applicable 
enforcement 
procedure 


Does the API return an updated 
TC string after a change of users’ 
choices made in the CMP UI? 

This check fails if the purpose and 
vendor consent or LI signals do not 
map the disclosures provided and 
choices made in the CMP UI. 


Did all required CMP API commands
return a correct response?

This check fails if any of the
following mandatory CMP API
commands does not return an
expected response: ping,
addEventListener,
removeEventListener.

Is the CMP registered? 
CMP is registered as a participant 
of a Transparency and Consent 


Chapter II: Policies for CMPs; 5(3). 

A CMP must only generate a positive consent Signal on the 
basis of a clear affirmative action taken by a user that 
unambiguously signifies that user’s agreement on the basis of 
appropriate information in accordance with the law. 


Chapter II: Policies for CMPs; 5(4).

A CMP must only generate a positive legitimate interest Signal 
on the basis of the provision of transparency by the CMP about 
processing on the basis of a legitimate interest and must always 
generate a negative legitimate interest Signal if the user has 
indicated an objection to such processing on the basis of a 
legitimate interest. 


Chapter II: Policies for CMPs; 5(5). 

A CMP must only generate a positive opt-in Signal for Special 
Features on the basis of a clear affirmative action taken by a 
user that unambiguously signifies that user’s agreement on the 
basis of appropriate information. 


CMP API v2.1 technical specifications. 
All CMPs must support three required API commands: 'ping',
'addEventListener' and 'removeEventListener'.


Chapter II: Policies for CMPs; 2(1). Applying and registering.
CMPs must apply to IAB Europe for participation in the 
Framework. IAB Europe shall take reasonable steps to vet and 


Framework and included in the 
CMP List. 


Is the GVL version format
correct?

This check fails if the GVL version
number is 0 or a number higher
than the latest version of the GVL.


Is the current or penultimate 
version of the GVL being used? 
This check fails if the version of the
GVL being used is not the current or 
last version of the GVL (the last 
version of the GVL is acceptable as 
the GVL may be cached for up to 
one week meaning that the cached 
version could be 1 version 
out-of-date). 


Is the max vendor id less than or 
equal to the highest id in the 
GVL? 

This check fails if the max vendor id 
for consent or legitimate interest is 
not less than or equal to the highest 
vendor id in the GVL being used by 
the CMP. 


approve a CMP’s application according to procedures adopted, 
and updated from time to time, by the MO. 


Chapter II: Policies for CMPs; 4(3).

A CMP must disclose Vendors’ GVL information, including Legal 
Bases, as declared, and update Vendors’ GVL information, 
including Legal Bases status in the Framework, wherever stored, 
according to the Specifications, without extension, modification, 
or supplementation, except as expressly allowed for in the 
Specifications. 


Chapter II: Policies for CMPs; 4(3). 

A CMP must disclose Vendors’ GVL information, including Legal 
Bases, as declared, and update Vendors’ GVL information, 
including Legal Bases status in the Framework, wherever stored, 
according to the Specifications, without extension, modification, 
or supplementation, except as expressly allowed for in the 
Specifications. 


Chapter II: Policies for CMPs; 4(1). 
In addition to implementing the Framework according to the 
Specifications, a CMP must support the full Specifications, 
unless the Specifications expressly state that a feature is 
optional, in which case a CMP may choose to implement the 
optional feature but need not to do so. 
Are purposes 1, 3, 4, 5 and 6 set
to 'no' for legitimate interest? 
Vendors cannot base processing for 
Purposes 1, 3, 4, 5 and 6 on 
Legitimate Interest. 


Do the Created and LastUpdated 
fields have the same value? 

As a result of the limited relevance 
of the Created field for publishers 
and their CMPs to remind users of 
their choices, the Created and 
LastUpdated fields have been 
updated to have the same value. 


Are the Created and LastUpdated 
timestamps imprecise? 

This check fails if the Created and 
LastUpdated timestamps do not 
have hours, minutes and seconds 
properly zeroed out. 


Are all vendor signals for deleted 
vendors set to 0? 
This check fails if there are any 


positive vendor consent or LI 
signals for vendors that are marked 
as deleted in the version of the GVL 
being used. 


Chapter II: Policies for CMPs; 5(6).

A CMP will establish Legal Bases only in accordance with the 
declarations made by Vendors in the GVL and using the 
definitions of the Purposes and/or their translations found in the 
GVL, without extension, modification, or supplementation, except 
as expressly allowed for in the Policies. 


Chapter II: Policies for CMPs; 4(1).
In addition to implementing the Framework according to the 
Specifications, a CMP must support the full Specifications, 
unless the Specifications expressly state that a feature is 
optional, in which case a CMP may choose to implement the 
optional feature but need not to do so. 


Chapter II: Policies for CMPs; 4(1). 
In addition to implementing the Framework according to the 
Specifications, a CMP must support the full Specifications, 
unless the Specifications expressly state that a feature is 
optional, in which case a CMP may choose to implement the 
optional feature but need not to do so. 


Chapter II: Policies for CMPs; 5(6) 

A CMP will establish Legal Bases only in accordance with the 
declarations made by Vendors in the GVL and using the 
definitions of the Purposes and/or their translations found in the 
GVL, without extension, modification, or supplementation, except 
as expressly allowed for in the Policies. 
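
Added example, not part of the Controls Catalog or of any IAB Europe tooling: the technical checks above on TC String fields, written as a Python audit over an already-decoded TC String. The dictionary keys, function names and sample values are assumptions constructed for illustration, as is the GVL shape (a `vendors` map whose entries may carry `deletedDate`).

```python
from datetime import datetime, timezone

# Purposes that, per the catalog, can never rest on legitimate interest.
LI_FORBIDDEN_PURPOSES = {1, 3, 4, 5, 6}


def consent_signals_all_off(tc):
    """Pre-interaction and 'Reject All' check: no TC String, or no positive
    purpose/vendor consent signal."""
    return tc is None or not (tc["purpose_consent"] or tc["vendor_consent"])


def _is_day_precision(ts):
    """True when hours, minutes, seconds and below are zeroed (UTC)."""
    ts = ts.astimezone(timezone.utc)
    return (ts.hour, ts.minute, ts.second, ts.microsecond) == (0, 0, 0, 0)


def audit_tc_fields(tc, gvl, latest_gvl_version):
    """Return the names of the failed checks for one decoded TC String.

    tc  : dict with hypothetical keys (see GOOD_TC below)
    gvl : the GVL snapshot the CMP used (assumed shape, see SAMPLE_GVL)
    """
    failures = []
    version = tc["vendor_list_version"]

    # GVL version format: 0 or a value above the latest published version.
    if version == 0 or version > latest_gvl_version:
        failures.append("gvl_version_format")
    # Only the current or the penultimate GVL version is acceptable.
    elif version not in (latest_gvl_version, latest_gvl_version - 1):
        failures.append("gvl_version_stale")

    # Max vendor id (consent and LI) must not exceed the highest GVL id.
    highest = max((int(v) for v in gvl["vendors"]), default=0)
    if max(tc["max_vendor_id_consent"], tc["max_vendor_id_li"]) > highest:
        failures.append("max_vendor_id")

    # Purposes 1, 3, 4, 5 and 6 must be 'no' for legitimate interest.
    if LI_FORBIDDEN_PURPOSES & set(tc["purpose_li"]):
        failures.append("li_on_consent_only_purpose")

    # Created and LastUpdated: same value, hours/minutes/seconds zeroed.
    if tc["created"] != tc["last_updated"]:
        failures.append("created_ne_last_updated")
    if not (_is_day_precision(tc["created"])
            and _is_day_precision(tc["last_updated"])):
        failures.append("timestamp_too_precise")

    # No positive consent or LI signal for vendors marked as deleted.
    deleted = {int(v) for v, rec in gvl["vendors"].items()
               if rec.get("deletedDate")}
    if deleted & (set(tc["vendor_consent"]) | set(tc["vendor_li"])):
        failures.append("signal_for_deleted_vendor")
    return failures


# --- constructed sample data, not taken from a real CMP or the real GVL ---
UTC = timezone.utc
SAMPLE_GVL = {
    "vendorListVersion": 48,
    "vendors": {"1": {}, "2": {"deletedDate": "2024-01-15T00:00:00Z"}, "7": {}},
}
GOOD_TC = {
    "vendor_list_version": 48,
    "created": datetime(2024, 3, 1, tzinfo=UTC),
    "last_updated": datetime(2024, 3, 1, tzinfo=UTC),
    "purpose_consent": {1, 2},
    "purpose_li": {2, 7},
    "vendor_consent": {1, 7},
    "vendor_li": {7},
    "max_vendor_id_consent": 7,
    "max_vendor_id_li": 7,
}
BAD_TC = {
    "vendor_list_version": 46,                               # two versions behind
    "created": datetime(2024, 3, 1, 14, 22, 5, tzinfo=UTC),  # precise timestamp
    "last_updated": datetime(2024, 3, 2, tzinfo=UTC),        # differs from created
    "purpose_consent": {1},
    "purpose_li": {3, 7},                                    # purpose 3 under LI
    "vendor_consent": {2, 7},                                # vendor 2 is deleted
    "vendor_li": {7},
    "max_vendor_id_consent": 9,                              # above highest GVL id
    "max_vendor_id_li": 7,
}

if __name__ == "__main__":
    print(audit_tc_fields(GOOD_TC, SAMPLE_GVL, latest_gvl_version=48))
    print(audit_tc_fields(BAD_TC, SAMPLE_GVL, latest_gvl_version=48))
```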


Policies Checks 
Initial layer checks


Is the UI prominently displayed, covering most of the website content?

Appendix B, Policy C(a).
When providing transparency about Purposes, Features and
Vendors in connection with requesting a user’s consent for the
same, the Framework UIs must be displayed prominently and
separately from other information, such as the general terms and
conditions or the privacy policy, in a modal or banner that covers
all or substantially all of the content of the website or app.


Is the UI displayed separately from other information such as
terms and conditions or the privacy policy?

Appendix B, Policy C(a).
When providing transparency about Purposes, Features and
Vendors in connection with requesting a user’s consent for the
same, the Framework UIs must be displayed prominently and
separately from other information, such as the general terms and
conditions or the privacy policy, in a modal or banner that covers
all or substantially all of the content of the website or app.


Does the 1st layer of the UI provide information about the
storage and access of information from the user’s device by
third-party vendors?

Appendix B, Policy C(b)(I).
Must include information about the fact that information is stored
on and/or accessed from the user’s device (e.g. use of cookies,
device identifiers, or other device data);

Appendix B, Policy C(b)(III).
Must include information about the fact that third party Vendors
will be storing and/or accessing information from the user’s
device and processing their personal data, the number of third
party Vendors (which may also include Vendors not participating
in the Framework), and a link to the list of named third parties.


Does the 1st layer of the UI provide information about the
processing of personal data by third party Vendors?

Appendix B, Policy C(b)(II).
Must include information about the fact that personal data is
processed, and the nature of the personal data processed (e.g.
unique identifiers, browsing data);


Does the 1st layer of the UI
provide an example of personal
data processed?


Is there a direct link to the list of
third parties in the 1st layer of the
UI?


Does the 1st layer of the UI
provide information about the
Purposes and/or Stacks and
Special Features used by third
parties?


Does the 1st layer of the UI | Appendix B, Policy C(b)(VII).


Appendix B, Policy C(b)(III).

Must include information about the fact that third party Vendors 
will be storing and/or accessing information from the user’s 
device and processing their personal data, the number of third 
party Vendors (which may also include Vendors not participating 
in the Framework), and a link to the list of named third parties. 


Appendix B, Policy C(b)(II).

Must include information about the fact that personal data is 
processed, and the nature of the personal data processed (e.g. 
unique identifiers, browsing data); 


Appendix B, Policy C(b)(III).

Must include information about the fact that third party Vendors
will be storing and/or accessing information from the user’s
device and processing their personal data, the number of third
party Vendors (which may also include Vendors not participating 
in the Framework), and a link to the list of named third parties. 


Appendix B, Policy C(b)(IV). 

Must include the list of the distinct and separate Purposes for 
which the Vendors are processing data, using at least the 
standardised names and/or Stack names as defined in Appendix 
A. 


Appendix B, Policy C(b)(V). 
Must include information about the Special Features used by the 
Vendors when processing data. 


provide information about the 
scope of the consent choice, i.e. 
service-specific consent or 
group-specific consent? 


Does the 1st layer of the UI
inform the user that they can 
withdraw their consent at any 
time and how to do so? 


Are there calls to action in the 1st 
layer for users to express 
consent (e.g. “accept”) and 
customise their choices (e.g. 
"manage options")?


Do the two primary calls to action 
on the 1st layer have matching 
text treatment and, for each, a 
minimum contrast ratio of 5:1? 


Must include information about the scope of the consent choice, 
i.e. service-specific consent, or group-specific consent. If
group-specific consent, a link with information about the group. 


Appendix B, Policy C(b)(VIII). 
Must include information about the fact that the user can 
withdraw their consent at any time, and how to resurface the 
Framework UI in order to do so. 


Appendix B, Policy C(b)(II).

Must include information about the fact that personal data is 
processed, and the nature of the personal data processed (e.g. 
unique identifiers, browsing data). 


Appendix B, Policy C(b)(X). 
Must include a call to action for the user to express their consent 
(for example “Accept”, “Okay”, “Approve”, etc.). 


Appendix B, Policy C(b)(XI). 

Must include a call to action for the user to customise their 
choices (for example “Advanced Settings”, “Customise Choices”, 
etc.). 


Appendix B, Policy C(g). 

Calls to action in a Framework UI must not be invisible, illegible, 
or appear disabled. While calls to action do not need to be 
identical, to ensure they are clearly visible, they must have 
matching text treatment (font, font size, font style) and, for the 
text of each, a minimum contrast ratio of 5 to 1. To the extent 
that an Initial Layer has more than two calls to action, this policy 
only applies to the two primary calls to action. 
Does the 1st layer of the UI show
the number of the third party 
Vendors? 


If the 1st layer of the UI provides 
information about the Purposes 
and Special Features used by 
Vendors using modified Stack 
descriptions, is the 


UseNonStandardTexts flag set to 
1? 


Does the UI show Purposes and 
Features with their standard 
names or Stacks? 


Appendix B: Policy C(b)(III).

Must include information about the fact that third party Vendors 
will be storing and/or accessing information from the user’s 
device and processing their personal data, the number of third 
party Vendors (which may also include Vendors not participating 
in the Framework), and a link to the list of named third parties. 


Chapter IV: Policy for Publishers; 21(6). 

A Publisher must not modify, or instruct its CMP to modify, Stack 
descriptions and/or their translations unless (a) the Publisher has 
registered a private CMP with the Framework, or its commercial 
CMP is using a CMP ID assigned to the Publisher for use with a 
private CMP; (b) the modified Stack descriptions cover the 
substance of standard Stack descriptions, such as accurately 
and fully covering all Purposes that form part of the Stack; (c) 
Vendors are alerted to the fact of a Publisher using custom Stack 
descriptions through the appropriate Signal in accordance with 
the Specification. 


Secondary layers checks 


Appendix B, Policy B(b). 

When providing transparency about Purposes and Features, the 
Framework UI must do so only on the basis of the standard 
Purpose, Special Purpose, Feature, and Special Feature names 
and definitions of Appendix A as they are published on the 
Global Vendor List or using Stacks in accordance with the 
Policies and Specifications. UIs must make available the
standard user-friendly text, and where applicable the standard 
illustrations for each Purpose, Special Purpose, Feature, 
Special Feature and Category of data of Appendix A 


Appendix B, Policy B(c). 
Can users review the standard
user-friendly texts and 
illustrations? 


Where the Framework UI uses a language other than English, 
the Framework UI must do so only on the basis of official 
translations of the standard Purpose, Special Purpose, Feature, 
Special Feature and Category of data names and definitions of 
Appendix A as they are published on the Global Vendor List. 


Appendix B, Policy C(b)(IV). 

Must include the list of the distinct and separate Purposes for 
which the Vendors are processing data, using at least the 
standardised names and/or Stack names as defined in Appendix 
A. 


Appendix B, Policy C(c)(II).

review the list of Purposes, Special Purposes, Features, and 
Special Features including their standard name, their full 
standard user-friendly text and where applicable their 
illustrations, as defined in Appendix A, the number of Vendors 
seeking consent for each of the Purposes (which may also 
include Vendors not participating in the Framework), and have a 
way to see those Vendors; 


Appendix B, Policy B(b). 

When providing transparency about Purposes and Features, the 
Framework UI must do so only on the basis of the standard 
Purpose, Special Purpose, Feature, and Special Feature names 
and definitions of Appendix A as they are published on the 
Global Vendor List or using Stacks in accordance with the 
Policies and Specifications. UIs must make available the
standard user-friendly text, and where applicable the standard 
illustrations for each of Purpose, Special Purpose, Feature, 
Special Feature and Category of data of Appendix A. 
If the UI includes non-TCF
Vendors, are they presented 
separately? 


Does the UI provide information 
about third party Vendors 
processing personal data based 
on legitimate interest (if any)? 


Appendix B, Policy B(e). 

For the avoidance of doubt, Framework UIs may be used to also
provide transparency, and request consent, for purposes and/or 
vendors, that are not covered by the Framework. However, users 
must not be misled to believe that any non-Framework purpose 
and/or vendor are part of the Framework or subject to its 
Policies. If the Framework UI includes non-Framework purposes
and/or vendors the Framework UI must make it possible for 
users to distinguish between Vendors registered with the 
Framework, and Purposes defined by the Framework, and those 
who are not. 


Appendix B, Policy C(e). 

If a UI displays Vendors who are not registered with IAB Europe 
for participation in the Framework, the UI must make it possible 
for users to distinguish between Vendors registered with the 


Framework, and those who are not. The UI must not mislead 
others as to the Framework participation of any of the Vendors 
who are not registered with the MO. 


Appendix B, Policy C(b)(IX). 

Should include information about the fact that some Vendors (if 
any) are not requesting consent, but processing the user’s data 
on the basis of their legitimate interest; the fact that the user has 
a right to object to such processing; and a link to the relevant 
layer of the Framework UI dealing with processing on the basis 
of legitimate interests where more information can be found. 


Appendix B, Policy D(a). 

When providing transparency about Purposes, Special 
Purposes, Features, Special Features, and Vendors in 
connection with a legitimate interest for the same, transparency 
Does the UI advise the user of
their right to object to their 
personal data being processed 
on the basis of legitimate interest 
(if any)? 


Is the user able to review the list 
of Vendors, their Purposes, 
Special Purposes, Features, 
Special Features, associated 
Legal Bases and a link to their 
privacy policy, as well as make 
granular choices per Purpose 
and per Vendor (when 
applicable)? 


must be provided at least through an easily accessible link to the 
relevant layer of the Framework UI dealing with processing on 
the basis of legitimate interests. 


Appendix B, Policy D(b). 

When providing transparency about Purposes, Special 
Purposes, Features, Special Features, and Vendors in 
connection with both requesting a user’s consent for the same 
and a legitimate interest, Policy C(a) applies, and the easily 
accessible link to the relevant layer of the Framework UI dealing 
with processing on the basis of legitimate interests required 
under Policy D(a) must be included in the Initial Layer of the 
Framework UI presented in line with Policy C(a). 


Appendix B, Policy C(b)(IX). 

Should include information about the fact that some Vendors (if 
any) are not requesting consent, but processing the user’s data 
on the basis of their legitimate interest; the fact that the user has 
a right to object to such processing; and a link to the relevant 
layer of the Framework UI dealing with processing on the basis 
of legitimate interests where more information can be found. 


Appendix B, Policy C(c)(I).
review:

o the list of named Vendors and a link to each Vendor’s privacy policy,
o their Purposes, Special Purposes, associated Legal Bases and corresponding retention period,
o their Features and Special Features, and
o the categories of data collected and processed;


Appendix B, Policy C(c)(II).
Does the 2nd layer allow users to
make granular and specific opt-in 
choices with respect to each 
Special Feature (when 
applicable)? 


Are user choices set to 'off' by 
default? 


review the list of Purposes, Special Purposes, Features, and 
Special Features including their standard name, their full 
standard user-friendly text and where applicable their 
illustrations, as defined in Appendix A, the number of Vendors 
seeking consent for each of the Purposes (which may also 
include Vendors not participating in the Framework), and have a 
way to see those Vendors; 


Appendix B, Policy C(c)(III).

Make granular and specific consent choices with respect to each 
Vendor, and, separately, each Purpose for which the Publisher 
chooses to obtain consent on behalf of one or more Vendors.


Appendix B, Policy C(h). 

By way of derogation from Appendix B, Policies C(c)(iii) and (iv) 
and C(d), a Publisher shall not be required to allow a user to 
make granular and specific consent or opt-in choices if the 
Publisher implements a way for the user to access its content 
without consenting through other means, for example by offering 
paid access that does not require consenting to any Purposes. 
For the avoidance of doubt, all other Policies remain applicable. 


Appendix B, Policy C(c)(IV). 

Make granular and specific opt-in choices with respect to each 
Special Feature for which the Publisher chooses to obtain 
opt-ins on behalf of one or more Vendors. 


Appendix B, Policy C(d). 

When a user accesses a layer, which will be a secondary layer 
when using a layered approach, allowing them to make granular 
and specific consent choices with respect to each Purpose, 
under Policy C(c)(III), and/or to make granular and specific opt-in
If legitimate interest is used by
any Vendors as a legal basis, 
does the information in the 2nd 
layer specify the nature of 
processed information and its 
scope? 


If legitimate interest is used by 


any Vendors as a legal basis, 
does the 2nd layer allow users to 
object to the processing of their 
personal data, per Purpose and 
per Vendor? 


Does the 2nd UI layer provide 
information about Vendors'
maximum device storage 
duration including whether such 
duration may be refreshed and, 
where applicable, additional 
purpose-specific storage? 


choices with respect to each Special Feature under Policy 
C(c)(IV) the default choice must be “no consent”, “no opt in” or 
“off”. 


Appendix B, Policy D(c)(I). 

See information about the fact that personal data is processed, 
and the nature of the personal data processed (e.g. unique 
identifiers, browsing data). 


Appendix B, Policy D(c)(II).

See information about the scope of the legitimate interest 
processing and scope of any objection to such processing, i.e. 
service-specific scope, or group-specific scope. If group-specific 
scope, a link with information about the group. 


Appendix B, Policy D(c)(III).
Access controls within the Framework UI to object to processing 
of their personal data on the basis of a legitimate interest. 


Appendix B, Policy D(c)(V). 

Exercise their right to object with respect to processing under a 
legitimate interest for each Vendor, and, separately, each 
Purpose for which the Publisher chooses to help establish 
Vendors transparency. 


Appendix B, Policy C(c)(VII).

Where applicable, review Vendors’ maximum device storage 
duration and whether Vendors refresh such duration (by stating, 
for example, that “duration may expire [n] months/days from your 
last interaction with the property”, where [n] represents the 
maximum duration for which the Vendor considers the user 
consent as valid) as well as, where available, review any 
additional purpose specific storage and access information 


provided by a Vendor in accordance with the Specifications.


Does the secondary layer show 
the number of Vendors seeking 
consent or relying on legitimate 
interest for each Purpose? 


Does the secondary layer allow 
users to access Vendors’ 
information about their legitimate 
interest at stake, where 
applicable? 


Does the secondary layer provide 
information about Vendors' 
retention periods? 


Appendix B: Policy C(c)(II).

Review the list of Purposes, Special Purposes, Features, and 
Special Features including their standard name and their full 
standard user-friendly text, as defined in Appendix A, the number 
of Vendors seeking consent for each of the Purposes (which 
may also include Vendors not participating in the Framework), 
and have a way to see those Vendors; 


Appendix B: Policy D(c)(IV). 

Review the list of Purposes and Special Purposes including their 
standard name, their full standard user-friendly text and where 
applicable their illustrations, as defined in Appendix A, the 
number of Vendors processing their data for each of the 
Purposes on the basis of legitimate interest (which may also 
include Vendors not participating in the Framework), and have a 
way to see those Vendors; 


Appendix B: Policy D(c)(VI)
review:

o the list of named Vendors, and a link to each Vendor’s privacy policy,
o their Purposes, Special Purposes, associated Legal Bases (and a link to each Vendor's
  explanation of its legitimate interest(s) at stake) and corresponding retention period,
o their Features, Special Features and
o the categories of data collected and processed


Appendix B, Policy C(c)(I). 
review: 
Does the secondary layer
disclose the categories of data 
collected and/or already held by 
Vendors? 


o the list of named Vendors and a link to each Vendor’s privacy policy,
o their Purposes, Special Purposes, associated Legal Bases and corresponding retention period,
o their Features and Special Features, and
o the categories of data collected and processed;


Appendix B: Policy D(c)(VI)
review:

o the list of named Vendors, and a link to each Vendor’s privacy policy,
o their Purposes, Special Purposes, associated Legal Bases (and a link to each Vendor’s
  explanation of its legitimate interest(s) at stake) and corresponding retention period,
o their Features, Special Features and
o the categories of data collected and processed


Appendix B, Policy C(c)(I).
review:

o the list of named Vendors and a link to each Vendor’s privacy policy,
o their Purposes, Special Purposes, associated Legal Bases and corresponding retention period,
o their Features and Special Features, and
o the categories of data collected and processed;


Appendix B: Policy D(c)(VI) 
review:

o the list of named Vendors, and a link to each Vendor’s privacy policy,
If the secondary layer of the UI
provides modified or additional
illustrations about the Purposes
and Special Purposes used by
Vendors, is the
UseNonStandardStacks flag set
to 1?


Is the user able to resurface the
CMP UI easily?


o their Purposes, Special Purposes, associated Legal Bases (and a link to each Vendor's
  explanation of its legitimate interest(s) at stake) and corresponding retention period,
o their Features, Special Features and
o the categories of data collected and processed


Chapter IV: Policy for Publishers; 21(7). 

A publisher must not modify or supplement, or instruct its CMP to 
modify or supplement, standard illustrations and/or their 
translations unless: (a) the Publisher follows any guidance that 
may be disseminated or updated by the MO so that the modified 
or additional illustrations provide accurate examples of data 
processing operations performed by Vendors under the 
Purposes; (b) the Publisher can modify only one of the two 
standard illustrations presented for each Purpose. Modifying the 
standard illustrations for Special Purposes and Purpose 1 (store 
and/or access information on a device) is not permitted; (c) 
Vendors are alerted to the fact of a Publisher using custom 
illustrations through the appropriate Signal in accordance with 
the Specification. 


Resurfacing of the UI 


Appendix B: Policy (C)(f). 

A user must be able to resurface the Framework UI from an 
easily accessible link or call to action, such as a floating icon or a 
footer link available on each webpage of the Publisher’s website, 
or from the top-level settings of the Publisher’s app as to allow 
them to withdraw their consent as easily as it was to give it. 
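One way to answer the UseNonStandardStacks question above is to decode the TC String the CMP produces and read the flag from its core segment. The sketch below is an added example, not code from the Controls Catalog or IAB Europe: the field widths follow the TCF v2 core string layout, and `decodeCore`, `nonStandardFlagCheckPasses` and the sample values are hypothetical names and constructed data.

```javascript
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Leading core-segment fields in wire order: [name, width in bits].
const CORE_FIELDS = [
  ["version", 6], ["created", 36], ["lastUpdated", 36], ["cmpId", 12],
  ["cmpVersion", 12], ["consentScreen", 6], ["consentLanguage", 12],
  ["vendorListVersion", 12], ["tcfPolicyVersion", 6], ["isServiceSpecific", 1],
  ["useNonStandardStacks", 1], ["specialFeatureOptIns", 12], ["purposesConsent", 24],
];

// Decode the first dot-separated segment of a TC String into the fields above.
function decodeCore(tcString) {
  const bits = [...tcString.split(".")[0]].map((ch) => {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`not base64url: ${ch}`);
    return v.toString(2).padStart(6, "0");
  }).join("");
  const core = {};
  let pos = 0;
  for (const [name, width] of CORE_FIELDS) {
    if (pos + width > bits.length) throw new Error(`TC String too short for ${name}`);
    core[name] = parseInt(bits.slice(pos, pos + width), 2);
    pos += width;
  }
  return core;
}

// PurposesConsent is a 24-bit field whose leftmost bit is Purpose 1.
const hasPurposeConsent = (core, n) => ((core.purposesConsent >> (24 - n)) & 1) === 1;

// The audited question: custom illustrations in the UI require the flag to be 1.
function nonStandardFlagCheckPasses(tcString, uiUsesCustomIllustrations) {
  return !uiUsesCustomIllustrations || decodeCore(tcString).useNonStandardStacks === 1;
}

// Builds a constructed, truncated core segment so the decoder has offline input.
function encodeCore(fields) {
  let bits = CORE_FIELDS.map(([n, w]) => fields[n].toString(2).padStart(w, "0")).join("");
  bits += "0".repeat((6 - (bits.length % 6)) % 6);
  return bits.match(/.{6}/g).map((b) => B64URL[parseInt(b, 2)]).join("");
}

const SAMPLE = encodeCore({ // hypothetical values, not a real user's signal
  version: 2, created: 17000000000, lastUpdated: 17000000000, cmpId: 4000,
  cmpVersion: 1, consentScreen: 1, consentLanguage: 4 * 64 + 13, // "EN"
  vendorListVersion: 100, tcfPolicyVersion: 4, isServiceSpecific: 1,
  useNonStandardStacks: 1, specialFeatureOptIns: 0, purposesConsent: 1 << 23, // Purpose 1
});
console.log(SAMPLE, decodeCore(SAMPLE));
```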

Is the user able to withdraw their consent as easily as they were able to give consent?

Appendix B: Policy (C)(f)

If a call to action for the user to express their consent for all
Purposes and Vendors was provided in the Initial Layer of the
Framework UIs used to request the user’s consent (for example
“Consent to all”), an equivalent call to action for the user to
withdraw their consent for all Purposes and Vendors must be
provided in the Framework UI that the user resurfaces (for
example “Withdraw consent to all”).


4. Vendor Checklist

Number | Audited elements | TCF Policies references | Applicable enforcement procedure


Technical checks


Writing of cookies

This check passes when there is no setting of cookies by the Vendor when there is no
consent signal for purpose 1 or no consent signal for the vendor.

Chapter III: Policies for Vendors (14)(1);

A Vendor must not store information or access information on a
user's device without consent, unless the law exempts such
storage of information or accessing of information on a user’s
device from an obligation to obtain consent.


Cookie duration

This check passes when the Vendors’ cookies have a max-age less than or equal to the
max-age registered in the GVL.

Chapter III: Policies for Vendors (14)(2bis);

A Vendor shall indicate on the GVL the maximum duration of
information stored on a user’s device, including whether such
duration may be refreshed. A Vendor must, in addition, provide
more detailed and purpose-specific storage and access information
in accordance with the Specifications.
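The two cookie checks above can be run over the Set-Cookie headers captured from a Vendor's responses. This is an added example, not IAB Europe's audit tooling: Vendor id 9999, the sample headers and the function names are constructed, and `cookieMaxAgeSeconds` is the GVL vendor field holding the registered max-age.

```javascript
// Parse one Set-Cookie value into { name, maxAge }: maxAge in seconds, null for a
// session cookie. Max-Age takes precedence over Expires (RFC 6265).
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  let maxAge = null, fromExpires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    if (eq === -1) continue; // flag attributes such as Secure
    const key = attr.slice(0, eq).trim().toLowerCase();
    const val = attr.slice(eq + 1).trim();
    if (key === "max-age") maxAge = parseInt(val, 10);
    if (key === "expires") fromExpires = Math.round((Date.parse(val) - now) / 1000);
  }
  return { name: pair.split("=")[0], maxAge: maxAge !== null ? maxAge : fromExpires };
}

// Storage needs both signals: consent for Purpose 1 and consent for this Vendor.
function hasStorageConsent(tcData, vendorId) {
  return tcData?.purpose?.consents?.[1] === true &&
    tcData?.vendor?.consents?.[vendorId] === true;
}

// One finding per cookie that would fail "Writing of cookies" or "Cookie duration".
// gvlVendor: the Vendor's GVL entry, reduced to { id, cookieMaxAgeSeconds }.
function auditVendorCookies(setCookieHeaders, tcData, gvlVendor, now = Date.now()) {
  const consent = hasStorageConsent(tcData, gvlVendor.id);
  const findings = [];
  for (const header of setCookieHeaders) {
    const { name, maxAge } = parseSetCookie(header, now);
    if (maxAge !== null && maxAge <= 0) continue; // expires a cookie, stores nothing
    if (!consent) {
      findings.push({ check: "writing", cookie: name });
    } else if (maxAge !== null && maxAge > gvlVendor.cookieMaxAgeSeconds) {
      findings.push({ check: "duration", cookie: name, maxAge });
    }
  }
  return findings;
}

// Constructed sample data: Vendor 9999 and every value below are hypothetical.
const GVL_VENDOR = { id: 9999, cookieMaxAgeSeconds: 31536000 }; // 365 days
const OBSERVED = [
  "uid=abc123; Max-Age=34128000; Path=/; Secure; SameSite=None", // 395 days
  "sess=1; Path=/; HttpOnly",
  "pref=x; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Max-Age=86400",
  "old=; Max-Age=0",
];
const CONSENTED = { purpose: { consents: { 1: true } }, vendor: { consents: { 9999: true } } };
console.log(auditVendorCookies(OBSERVED, CONSENTED, GVL_VENDOR));
```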
Integrity of TCF signals

This check passes if no TC String is found in request URLs when no TC String is returned
by the CMP API.

This check passes if, when the GDPR_CONSENT macro is present, its content is the same as
the TC string returned by the CMP API.

Chapter III: Policies for Vendors (12)(6);

A Vendor must not create Signals where no CMP has
communicated a Signal, and shall only transmit Signals
communicated by a CMP or received from a Vendor who forwarded
a Signal originating from a CMP without extension, modification, or
supplementation, except as expressly allowed for in the Policies
and/or Specifications.


Passing of personal data from a Vendor to another

This check passes if the Vendor only initiates another Vendor’s redirect that includes a
UID when the receiving Vendor has a legal basis for processing.

Chapter III: Policies for Vendors (14)(15);

A Vendor must not transmit personal data to another Vendor unless
the Framework’s Signals show that the receiving Vendor has a
Legal Basis for the processing of the personal data. For the
avoidance of doubt, a Vendor may in addition choose not to
transmit any data to another Vendor for any reason.


Use of the “addEventListener” CMP command

Applicable where the Vendor is able to execute JavaScript. This check passes if the
Vendor has registered a listener function via addEventListener to retrieve changed TC
Strings in real-time.

Chapter III: Policies for Vendors (12)(3);

A Vendor must respect Signals communicated by a CMP or
received from a Vendor who forwarded the Signal originating from
a CMP in accordance with the Specifications and Policies, and act
accordingly. A Vendor must respect Signals on an individual basis
in real-time and must not rely on a stored version of a previously
received Signal to store and/or access information on a device, or
to process personal data for any Purpose and/or use any Special
Feature where a more recent Signal has been received by that
Vendor.


Reliance on TCF signals returned by CMPs

This check fails if the Vendor stores the TC String in a proprietary storage mechanism
instead of retrieving the TC String according to the Technical Specifications.

Chapter III: Policies for Vendors (12)(3);

A Vendor must respect Signals communicated by a CMP or
received from a Vendor who forwarded the Signal originating from
a CMP in accordance with the Specifications and Policies, and act
accordingly. A Vendor must respect Signals on an individual basis
in real-time and must not rely on a stored version of a previously
received Signal to store and/or access information on a device, or
to process personal data for any Purpose and/or use any Special
Feature where a more recent Signal has been received by that
Vendor.


Registration checks


Availability and language of Privacy Policy URLs

The URLs to the Vendor's Privacy Policy are available and in the language indicated when
registering to the GVL.

Chapter III: Policies for Vendors (9)(5);

A Vendor will provide to the MO, and maintain as complete and
accurate, all information required for inclusion in the GVL,
according to the GVL Specifications. This includes the Purposes
and Special Purposes for which it collects and processes personal
data, the Legal Bases it relies on for processing personal data for
each Purpose and Special Purpose and, where applicable, a link to
an explanation of its legitimate interest(s) at stake, the retention
period of data processed for each Purpose and Special Purpose,
the Features and Special Features it relies on in pursuit of such
Purposes and Special Purposes, the categories of data it collects
and processes in pursuit of the Purposes and Special Purposes it
has declared, and its requirements regarding storing and/or
accessing information on users’ devices. It will ensure its Purposes,
Legal Bases, and access to a user’s device, are completely and
accurately included in the GVL. It will notify the MO of any changes
in a timely manner.


Availability and language of Legitimate Interest at stake URLs

The URLs to the Vendor’s explanation of its Legitimate Interest(s) at stake are available
and in the language indicated when registering to the GVL.

Chapter III: Policies for Vendors (9)(5);

A Vendor will provide to the MO, and maintain as complete and
accurate, all information required for inclusion in the GVL,
according to the GVL Specifications. This includes the Purposes
and Special Purposes for which it collects and processes personal
data, the Legal Bases it relies on for processing personal data for
each Purpose and Special Purpose and, where applicable, a link to
an explanation of its legitimate interest(s) at stake, the retention
period of data processed for each Purpose and Special Purpose,
the Features and Special Features it relies on in pursuit of such
Purposes and Special Purposes, the categories of data it collects
and processes in pursuit of the Purposes and Special Purposes it
has declared, and its requirements regarding storing and/or
accessing information on users’ devices. It will ensure its Purposes,
Legal Bases, and access to a user’s device, are completely and
accurately included in the GVL. It will notify the MO of any changes
in a timely manner.


Availability of the deviceStorage.json URL

This check passes if the Vendor has provided a secure URL to a JSON resource that
conforms to the containing disclosures related to the TCF Technical Specifications here
and contains purpose-specific storage and access information and web domains used for
collecting and processing personal data.

Chapter III: Policies for Vendors (9)(5);

A Vendor will provide to the MO, and maintain as complete and
accurate, all information required for inclusion in the GVL,
according to the GVL Specifications. This includes the Purposes
and Special Purposes for which it collects and processes personal
data, the Legal Bases it relies on for processing personal data for
each Purpose and Special Purpose and, where applicable, a link to
an explanation of its legitimate interest(s) at stake, the retention
period of data processed for each Purpose and Special Purpose,
the Features and Special Features it relies on in pursuit of such
Purposes and Special Purposes, the categories of data it collects
and processes in pursuit of the Purposes and Special Purposes it
has declared, and its requirements regarding storing and/or
accessing information on users’ devices. It will ensure its Purposes,
Legal Bases, and access to a user’s device, are completely and
accurately included in the GVL. It will notify the MO of any changes
in a timely manner.


The information required when registering on the Global Vendor List (GVL) is not
missing, partly missing or incorrect

This includes the additional information that does not appear in the GVL JSON file but is
made available in a separate JSON file as per the TCF Technical Specification here.

Chapter III: Policies for Vendors (9)(2); 3

Vendors must provide all information requested by the MO that is
reasonably required to fulfil the MO’s application and approval
procedures.

Chapter III: Policies for Vendors (9)(5);

A Vendor will provide to the MO, and maintain as complete and
accurate, all information required for inclusion in the GVL,
according to the GVL Specifications. This includes the Purposes
and Special Purposes for which it collects and processes personal
data, the Legal Bases it relies on for processing personal data for
each Purpose and Special Purpose and, where applicable, a link to
an explanation of its legitimate interest(s) at stake, the retention
period of data processed for each Purpose and Special Purpose,
the Features and Special Features it relies on in pursuit of such
Purposes and Special Purposes, the categories of data it collects
and processes in pursuit of the Purposes and Special Purposes it
has declared, and its requirements regarding storing and/or
accessing information on users’ devices. It will ensure its Purposes,
Legal Bases, and access to a user’s device, are completely and
accurately included in the GVL. It will notify the MO of any changes
in a timely manner.
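The "Integrity of TCF signals" technical check in the Vendor Checklist above can be expressed as a comparison between the TC String a Vendor puts in its request URLs and the one the CMP API returned. This is an added example, not IAB Europe's audit tooling: it assumes the GDPR_CONSENT macro is carried in the `gdpr_consent` query parameter, narrows the first check to that parameter, additionally flags a macro left unexpanded, and uses constructed URLs with placeholder TC String values.

```javascript
// requestUrls: the Vendor's outgoing request URLs observed on one page load.
// cmpTcString: the tcString the CMP API returned, or null when it returned none.
function auditTcStringIntegrity(requestUrls, cmpTcString) {
  const findings = [];
  for (const raw of requestUrls) {
    let params;
    try {
      params = new URL(raw).searchParams;
    } catch {
      findings.push({ url: raw, issue: "unparseable-url" });
      continue;
    }
    // getAll: a parameter repeated in one URL is checked once per occurrence.
    for (const value of params.getAll("gdpr_consent")) {
      if (/^\$\{GDPR_CONSENT(_\d+)?\}$/.test(value)) {
        findings.push({ url: raw, issue: "macro-not-replaced" });
      } else if (cmpTcString === null && value !== "") {
        findings.push({ url: raw, issue: "tc-string-without-cmp-signal" });
      } else if (cmpTcString !== null && value !== cmpTcString) {
        findings.push({ url: raw, issue: "tc-string-differs-from-cmp" });
      }
    }
  }
  return findings;
}

// Constructed sample: hypothetical hosts, Vendor id 9999, placeholder TC String values.
const REQUESTS = [
  "https://sync.vendor.example/pixel?gdpr=1&gdpr_consent=CONSTRUCTED_TC_STRING_A",
  "https://sync.vendor.example/pixel?gdpr=1&gdpr_consent=CONSTRUCTED_TC_STRING_B",
  "https://sync.vendor.example/pixel?gdpr=1&gdpr_consent=${GDPR_CONSENT_9999}",
  "https://cdn.vendor.example/lib.js",
];
console.log(auditTcStringIntegrity(REQUESTS, "CONSTRUCTED_TC_STRING_A"));
console.log(auditTcStringIntegrity(REQUESTS, null));
```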
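For the "Use of the addEventListener CMP command" and "Reliance on TCF signals returned by CMPs" checks in the Vendor Checklist, the Vendor-side pattern is to act on each event the CMP delivers rather than on a saved copy of the TC String. This is an added example, not from the Controls Catalog: `followConsent`, the mock CMP and Vendor id 9999 are hypothetical, while the `addEventListener` and `removeEventListener` commands and the `tcData` fields are those of the TCF CMP API.

```javascript
// Vendor-side gate driven by CMP events instead of a stored TC String.
// tcfapi is the page's __tcfapi function, passed in so the logic also runs offline.
function followConsent(tcfapi, vendorId, onSignal) {
  let listenerId;
  tcfapi("addEventListener", 2, (tcData, success) => {
    if (!success || !tcData) return;
    listenerId = tcData.listenerId;
    // "cmpuishown": the user is still choosing, so there is no settled signal yet.
    if (!["tcloaded", "useractioncomplete"].includes(tcData.eventStatus)) return;
    onSignal({
      tcString: tcData.tcString,
      mayStore: tcData.purpose?.consents?.[1] === true &&
        tcData.vendor?.consents?.[vendorId] === true,
    });
  });
  // The returned function unregisters the listener.
  return () => tcfapi("removeEventListener", 2, () => {}, listenerId);
}

// Constructed stand-in for a CMP, only so followConsent can be exercised offline.
function makeMockCmp() {
  const listeners = new Map();
  let nextId = 1;
  const api = (command, version, callback, parameter) => {
    if (command === "addEventListener") listeners.set(nextId++, callback);
    if (command === "removeEventListener") callback(listeners.delete(parameter));
  };
  api.emit = (eventStatus, tcString, vendorConsents) => {
    for (const [listenerId, cb] of listeners) {
      cb({ listenerId, eventStatus, tcString, gdprApplies: true,
           purpose: { consents: { 1: true } }, vendor: { consents: vendorConsents } }, true);
    }
  };
  return api;
}

// Vendor id 9999 and the TC String values are hypothetical placeholders.
function demo() {
  const cmp = makeMockCmp();
  const seen = [];
  const stop = followConsent(cmp, 9999, (signal) => seen.push(signal));
  cmp.emit("tcloaded", "CONSTRUCTED_TC_STRING_A", { 9999: true });
  cmp.emit("cmpuishown", "CONSTRUCTED_TC_STRING_A", { 9999: true });
  cmp.emit("useractioncomplete", "CONSTRUCTED_TC_STRING_B", { 9999: false }); // withdrawn
  stop();
  cmp.emit("useractioncomplete", "CONSTRUCTED_TC_STRING_C", { 9999: true });
  return seen; // one entry per settled signal received while listening
}
console.log(demo());
```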